mirror of
https://github.com/privacyguides/privacyguides.org.git
synced 2024-10-01 01:35:57 -04:00
Rebased on #2606, swapped legacy admonitions
This commit is contained in:
parent 4328038dc5
commit 885f067587
@ -18,4 +18,3 @@ The articles marked with a :material-star: are our more mature articles.
|
||||
- [macOS Overview](macos-overview.md)
|
||||
- [Qubes Overview](qubes-overview.md) :material-star:
|
||||
- [Windows Overview](windows/index.md)
|
||||
|
||||
|
@ -9,10 +9,13 @@ If you wish to limit the amount of data Microsoft obtains from your device, an [
|
||||
|
||||
![user-account](/assets/img/windows/user-account.webp)
|
||||
|
||||
!!! note
|
||||
Microsoft is pushing users to use Microsoft accounts for other editions except Education and Enterprise after installation.
|
||||
<div class="admonition note" markdown>
|
||||
<p class="admonition-title">Note</p>
|
||||
|
||||
So, You could also follow the guide by [ghacks.net](https://www.ghacks.net/2022/05/13/how-to-bypass-the-microsoft-account-requirement-during-windows-setup/) to bypass the Microsoft account requirement during setup and use Local account.
|
||||
Microsoft is pushing users to use Microsoft accounts for other editions except Education and Enterprise after installation.
|
||||
|
||||
So, You could also follow the guide by [ghacks.net](https://www.ghacks.net/2022/05/13/how-to-bypass-the-microsoft-account-requirement-during-windows-setup/) to bypass the Microsoft account requirement during setup and use Local account.
|
||||
</div>
|
||||
|
||||
While setting up, it is recommended to use a generic name such as `user` and `host` and avoid identifying terms such as your name or operating system. This can make it more difficult for privileged `Win32` apps or attackers to discern your identity.
|
||||
|
||||
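Review bot: the sentence carried into the new `<div>`, "So, You could also follow the guide by [ghacks.net](...) to bypass the Microsoft account requirement during setup and use Local account.", keeps a stray capital after "So," and the unidiomatic "use Local account"; since the line is being rewritten anyway, suggest "You can also follow the guide by [ghacks.net](…) to skip the Microsoft account requirement during setup and use a local account instead." The conversion itself looks right: the `markdown` attribute is present on the `<div>`, so the inline link in the body still renders.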
@ -21,12 +24,17 @@ For security, it's recommended to set up Windows Hello on all of your accounts b
|
||||
- [ ] Toggle off all privacy related settings as shown in the image:
|
||||
|
||||
![Privacy Settings](/assets/img/windows/privacy-settings.webp)
|
||||
|
||||
## Encrypting the Drive
|
||||
|
||||
After you have installed Windows, turn on full disk encryption (FDE) using BitLocker via the Control Panel.
|
||||
|
||||
!!! info "Choosing the Way to Encrypt"
|
||||
It is recommended to use only the Control Panel because if you go to encrypt via settings app, Microsoft named it as `Device Encryption` and designed it in a way that the encryption keys for BitLocker would be stored on Microsoft's server which is attached to your Microsoft account. This can be dangerous to your privacy and security as anyone who gains access to your account, as could an attacker if they were able to gain access to Microsoft's servers or any Law Enforcement could by a Gag order.
|
||||
<div class="admonition info" markdown>
|
||||
<p class="admonition-title">Choosing the Way to Encrypt</p>
|
||||
|
||||
It is recommended to use only the Control Panel because if you go to encrypt via settings app, Microsoft named it as `Device Encryption` and designed it in a way that the encryption keys for BitLocker would be stored on Microsoft's server which is attached to your Microsoft account. This can be dangerous to your privacy and security as anyone who gains access to your account, as could an attacker if they were able to gain access to Microsoft's servers or any Law Enforcement could by a Gag order.
|
||||
|
||||
</div>
|
||||
|
||||
The best way is to go to the Control Panel by searching for it in the Start Menu or from the context menu (right-click) in File Explorer and set it up for all of the drives that you have.
|
||||
|
||||
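Review bot: the body moved into the info `<div>` is a run-on that is hard to parse ("...as anyone who gains access to your account, as could an attacker if they were able to gain access to Microsoft's servers or any Law Enforcement could by a Gag order."); suggest splitting it into "Anyone who gains access to your Microsoft account can retrieve the key, and so can anyone who gains access to Microsoft's servers, including law enforcement with a court order." While touching the line, note that what Device Encryption uploads to the Microsoft account is the BitLocker recovery key, so "recovery key" would be more precise than "encryption keys".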
@ -38,8 +46,12 @@ Bitlocker is suggested because of the native implementation by the OS and along
|
||||
|
||||
Enable the Following group policies before you start encrypting your drives.
|
||||
|
||||
!!! tip
|
||||
To go to it, search **Group Policy** in the **Windows Search Bar** and press **Enter** or type `gpedit.msc` in ++win+r++. Then, proceed as mentioned below.
|
||||
<div class="admonition tip" markdown>
|
||||
<p class="admonition-title">Tip</p>
|
||||
|
||||
To go to it, search **Group Policy** in the **Windows Search Bar** and press **Enter** or type `gpedit.msc` in ++win+r++. Then, proceed as mentioned below.
|
||||
|
||||
</div>
|
||||
|
||||
General Policies :
|
||||
|
||||
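Review bot: "To go to it" in the tip has no antecedent once the block is rendered on its own; suggest "To open the Group Policy Editor, search **Group Policy** in the **Windows Search Bar**...". Two small style points on the surrounding lines: "Enable the Following group policies" should be lowercase "following", and "General Policies :" has a space before the colon.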
@ -70,8 +82,12 @@ These policies ensure that your drives are encrypted with `XTS-AES-256` Bit encr
|
||||
|
||||
### Setting up Pre-boot Authentication
|
||||
|
||||
!!! warning "Update your TPM"
|
||||
Before enabling Bitlocker in your device,It is strongly recommended to update your TPM chip by downloading package only from **OEM** Websites.
|
||||
<div class="admonition warning" markdown>
|
||||
<p class="admonition-title">Update your TPM</p>
|
||||
|
||||
Before enabling Bitlocker in your device,It is strongly recommended to update your TPM chip by downloading package only from **OEM** Websites.
|
||||
|
||||
</div>
|
||||
|
||||
As you are using Windows 11, TPM is used to encrypt and decrypt the drive but it is susceptible to [cold boot attacks](https://blog.elcomsoft.com/2021/01/understanding-bitlocker-tpm-protection/). So, it is recommended to use TPM + PIN to protect the drives
|
||||
|
||||
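Review bot: the warning body moved into the `<div>` still has a missing space after the comma in "in your device,It is strongly recommended"; suggest "Before enabling BitLocker on your device, it is strongly recommended to update your TPM firmware, downloading the package only from the **OEM** website." (it is the TPM firmware that gets updated, not the chip, and "BitLocker" is capitalised that way elsewhere on the page).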
@ -79,21 +95,28 @@ After enabling all the group policies above, Go to Control panel and click on Ad
|
||||
|
||||
You can check if it's enabled by typing `manage-bde -status`. It will normally show in **Key Protectors**: **Numerical Password** (it's the recovery key) and **TPM And PIN**.
|
||||
|
||||
??? abstract "Disabling pre-boot Authentication (Not Recommended)"
|
||||
<div class="admonition abstract" markdown>
|
||||
<p class="admonition-title">Disabling pre-boot Authentication (Not Recommended)</p>
|
||||
|
||||
- open a **terminal** as an **administrator** and type this command `manage-bde -protectors -add c: -TPM`.
|
||||
- You can again check if it worked by typing `manage-bde -status c:` and it will show you **Numerical Password** and **TPM**
|
||||
- open a **terminal** as an **administrator** and type this command `manage-bde -protectors -add c: -TPM`.
|
||||
- You can again check if it worked by typing `manage-bde -status c:` and it will show you **Numerical Password** and **TPM**
|
||||
|
||||
!!! info
|
||||
The above Group Policy configuration tells the TPM to release the encryption keys after entering PIN instead of releasing it on boot automatically.
|
||||
</div>
|
||||
|
||||
Doing this will set a double password. So, you enter the PIN to release the encryption keys from TPM & boot Windows and another credential to unlock your user account.
|
||||
<div class="admonition info" markdown>
|
||||
<p class="admonition-title">Info</p>
|
||||
|
||||
The pre-boot PIN not only protects the OS drive but also other fixed drives used just for storage if bitlocker is enabled for that drive also.
|
||||
The above Group Policy configuration tells the TPM to release the encryption keys after entering PIN instead of releasing it on boot automatically.
|
||||
|
||||
Doing this will set a double password. So, you enter the PIN to release the encryption keys from TPM & boot Windows and another credential to unlock your user account.
|
||||
|
||||
The pre-boot PIN not only protects the OS drive but also other fixed drives used just for storage if bitlocker is enabled for that drive also.
|
||||
|
||||
</div>
|
||||
|
||||
When you do this, the encryption keys of your drive are only unlocked once you enter the PIN, and the decryption happens after. If you forget or lose the PIN, you won't be able to access your drives and OS anymore, and the only way to recover is using the Recovery Key provided during the initial setup of BitLocker. **Make sure you store it in a safe place**, such as a password manager, and keep backups of your Recovery Key or even use an encrypted USB drive.
|
||||
|
||||
The preboot authentication is recommend to avoid data being accessed by removal of user Account passwords by methods like this - https://youtu.be/0gOZoroPNuA and access data even though Bitlocker is enabled and managed by TPM
|
||||
The preboot authentication is recommend to avoid data being accessed by removal of user Account passwords by methods like this - [How to Reset Windows 11 Password Without Any Software](https://youtu.be/0gOZoroPNuA) and access data even though Bitlocker is enabled and managed by TPM
|
||||
|
||||
But when you use TPM + Startup PIN, nobody can restart to load the shell and bypass password. Because you need to enter your PIN to go to the Advanced Startup settings as in the video.
|
||||
|
||||
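Review bot: the old block was a collapsible `??? abstract "Disabling pre-boot Authentication (Not Recommended)"`, but `<div class="admonition abstract" markdown>` renders it expanded, so a section the page explicitly marks "Not Recommended" is now always visible; if collapsing is wanted, use `<details class="abstract" markdown>` with a `<summary>` for the title instead. Also, if the `!!! info` block was nested inside the collapsible block before, the new layout places it after the first `</div>` as a sibling; confirm that is intended. Two typos survive on the rewritten link line: "The preboot authentication is recommend to avoid" should read "is recommended", and "Bitlocker" should be "BitLocker" to match the rest of the page.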
@ -118,8 +141,12 @@ It is recommended to encrypt the OS drive at the least. Encrypting secondary dri
|
||||
|
||||
- You might be afraid that the user accessing your device via another User account can access your Internal drive and access critical files violating your privacy. Refer, [Privacy page](windows/privacy/#restrict-access-to-data-drives) on How to restrict access to certain drives only or use EFS on a per-file basis. You can read more about EFS on [Privacy page](privacy.md).
|
||||
|
||||
!!! tip
|
||||
You should ALWAYS do the quick shortcut ++win+l++ to lock your device when you are away to prevent unauthorized access.
|
||||
<div class="admonition tip" markdown>
|
||||
<p class="admonition-title">Tip</p>
|
||||
|
||||
You should ALWAYS do the quick shortcut ++win+l++ to lock your device when you are away to prevent unauthorized access.
|
||||
|
||||
</div>
|
||||
|
||||
- If you don't like managing a standard account, then enforce authentication for Administrator accounts too like Standard ones by following the guide by [Wikihow](https://www.wikihow.tech/Require-UAC-Passwords-on-Administrator-Accounts)
|
||||
- This way, Even administrators need to use Password to approve processes instead of just clicking `Yes` or `No`.
|
||||
@ -149,8 +176,13 @@ As there are thousands of PC vendors that produce many models with different UEF
|
||||
|
||||
You can also know how to check if it is enabled or not in the guide.
|
||||
|
||||
!!! note
|
||||
System Guard is mostly available on Windows Secured-Core PCs not on regular consumer devices. So, Before enabling it check the requirements of your Device.
|
||||
<div class="admonition note" markdown>
|
||||
<p class="admonition-title">Note</p>
|
||||
|
||||
System Guard is mostly available on Windows Secured-Core PCs not on regular consumer devices. So, Before enabling it check the requirements of your Device.
|
||||
|
||||
</div>
|
||||
|
||||
## Protection against Malware and Viruses
|
||||
|
||||
- Just use the built-in Windows Defender Security to protect against threats and stick to it. Don't use any other Antivirus or Anti-Malware software [as it can weaken your security and your privacy](https://wonderfall.space/windows-hardening/#microsoft-defender-antivirus).
|
||||
@ -163,28 +195,36 @@ You can also know how to check if it is enabled or not in the guide.
|
||||
|
||||
- [x] Enable [Microsoft Defender Application Guard](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview). After installing by going to "[Turn Windows Features on or off](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard)" you can enable it. This runs Microsoft Edge in an Isolated Hyper-V container preventing unknown Malware from damaging the system.
|
||||
|
||||
!!! warning
|
||||
When you use Microsoft Defender Application Guard it bypasses the VPN you are using as when you use WDAG is launching the application in what is essentially a virtual machine, so it bypasses the host, where the VPN is connected.
|
||||
<div class="admonition warning" markdown>
|
||||
<p class="admonition-title">Warning</p>
|
||||
|
||||
When you use Microsoft Defender Application Guard it bypasses the VPN you are using as when you use WDAG is launching the application in what is essentially a virtual machine, so it bypasses the host, where the VPN is connected.
|
||||
|
||||
</div>
|
||||
|
||||
- [x] Enable [Memory Integrity](https://support.microsoft.com/en-us/windows/core-isolation-e30ed737-17d8-42f3-a2a9-87521df09b78) (also called Hypervisor-Protected Code Integrity) in Windows Defender settings which will run important system process isolated in an environment that cannot be attacked by viruses & malware.
|
||||
|
||||
- [x] Enable `Display File Extensions` as most problems start here.
|
||||
|
||||
??? example "Enabling file extension"
|
||||
On standard Windows settings, Malware can hide itself if the filename is like: `Secure-File.txt.exe`
|
||||
<div class="admonition example" markdown>
|
||||
<p class="admonition-title">Enabling file extension</p>
|
||||
|
||||
What you see? A file named `Secure-File.txt`
|
||||
On standard Windows settings, Malware can hide itself if the filename is like: `Secure-File.txt.exe`
|
||||
|
||||
Of course the attacker can add a different icon to the file, so it looks like you open the file type extension you think.
|
||||
What you see? A file named `Secure-File.txt`
|
||||
|
||||
And if you open it, the Malware start's.
|
||||
Of course the attacker can add a different icon to the file, so it looks like you open the file type extension you think.
|
||||
|
||||
Just Open the File Explorer's settings and change it to show File Extensions by clicking on `View` > `Show` or by configuring via [Registry Editor](https://github.com/beerisgood/Windows11_Hardening/blob/master/always%20display%20file%20typ%20extension)
|
||||
And if you open it, the Malware start's.
|
||||
|
||||
Just Open the File Explorer's settings and change it to show File Extensions by clicking on `View` > `Show` or by configuring via [Registry Editor](https://github.com/beerisgood/Windows11_Hardening/blob/master/always%20display%20file%20typ%20extension)
|
||||
</div>
|
||||
|
||||
## Apps
|
||||
|
||||
- Avoid any types of Cleaning software at all cost. As Microsoft is working on its own implementation specfically designed for windows.
|
||||
- To Install apps, using the `winget` (Windows Package manager). More details in [Sandboxing page](/windows/sandboxing/#using-winget-to-install-sofwaret)
|
||||
|
||||
## Security Improvements
|
||||
|
||||
- Use [PeaZip](https://peazip.github.io/) archiver instead of 7-zip as it disables [Mark of the Web(MoW)](https://nolongerset.com/mark-of-the-web-details/) [support by default](https://github.com/nmantani/archiver-MOTW-support-comparison#*2) leading to execution of malicious instantly after extracting.
|
||||
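Review bot: `??? example "Enabling file extension"` was collapsible and the replacement `<div class="admonition example" markdown>` is not; use `<details class="example" markdown>` with a `<summary>` if that behaviour should be kept. In the text moved into the example block, "the Malware start's" should be "the malware starts" and "What you see? A file named `Secure-File.txt`" should be "What do you see? A file named `Secure-File.txt`". The WDAG warning body is also garbled ("as when you use WDAG is launching the application in what is essentially a virtual machine"); suggest "Application Guard runs Edge in what is essentially a virtual machine, so its traffic bypasses the host, where the VPN is connected." Separately, the unchanged context link `/windows/sandboxing/#using-winget-to-install-sofwaret` does not match the slug of the heading it targets (`## Using Winget to Install Sofware` in sandboxing.md); the trailing "t" needs to go, and ideally the heading typo gets fixed in the same change.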
@ -200,12 +240,17 @@ You can also know how to check if it is enabled or not in the guide.
|
||||
- Go to `Domain`, `Private` and `Public` network settings
|
||||
- Scroll and check the box under **Incoming Connections**
|
||||
|
||||
!!! warning "A note regarding screen casting"
|
||||
If you try to cast your screen to another device or cast another device screen to your device via Wireless display (Optional feature). You won't be able to connect the devices. As we have blocked Incoming connections. Miracast (Wireless casting) requires incoming connection to send data back and forth to show the screen on other or vice versa.
|
||||
<div class="admonition warning" markdown>
|
||||
<p class="admonition-title">A note regarding screen casting</p>
|
||||
|
||||
If you want to cast, then disable incoming connections in public network and cast your device and block connection again.
|
||||
If you try to cast your screen to another device or cast another device screen to your device via Wireless display (Optional feature). You won't be able to connect the devices. As we have blocked Incoming connections. Miracast (Wireless casting) requires incoming connection to send data back and forth to show the screen on other or vice versa.
|
||||
|
||||
If you want to cast, then disable incoming connections in public network and cast your device and block connection again.
|
||||
|
||||
There is no problem if you use normal Projection via cable.
|
||||
|
||||
</div>
|
||||
|
||||
There is no problem if you use normal Projection via cable.
|
||||
## Keeping your device up-to-date
|
||||
|
||||
You should keep your Windows Device up-to-date by enabling automatic updates. It is recommended to do so to keep your device with latest security fixes and new features.
|
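Review bot: the sentence moved into the warning block, "If you want to cast, then disable incoming connections in public network and cast your device and block connection again.", says the opposite of what is needed: the earlier steps block incoming connections, so casting requires temporarily allowing them. Suggest "If you want to cast, temporarily allow incoming connections on the network profile you are using, cast, then block them again." Also check that "There is no problem if you use normal Projection via cable." ends up only once, inside the admonition, now that the old copy following the block is removed.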
@ -12,9 +12,9 @@ You can enhance your privacy and security on Windows without downloading any thi
|
||||
|
||||
- Initial Installation (coming soon)
|
||||
- [Group Policy Settings](group-policies.md)
|
||||
- Privacy Settings (coming soon)
|
||||
- Application Sandboxing (coming soon)
|
||||
- Security Hardening (coming soon)
|
||||
- [Privacy Settings](privacy.md)
|
||||
- [Application Sandboxing](sandboxing.md)
|
||||
- [Security Hardening](hardening.md)
|
||||
|
||||
<div class="admonition example" markdown>
|
||||
<p class="admonition-title">This section is new</p>
|
||||
|
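Review bot: "Initial Installation (coming soon)" is dropped without a replacement link while the other three placeholders become links to `privacy.md`, `sandboxing.md` and `hardening.md`; if the installation content (ISO download, activation) now lives in one of those pages, link it from here, otherwise the list silently loses that topic.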
@ -30,7 +30,8 @@ If you read this article - [https://www.softscheck.com/en/blog/windows-10-enterp
|
||||
Disabling full telemetry or sending basic data to Microsoft is totally upto the user's threat model.
|
||||
|
||||
- [ ] Disable `Automatic Sample Submission` in Windows Defender, as the feature will send your files as a sample for Signature Database and might leak your data. You can do it via the below Group Policy so to not prompt you again and again constantly.
|
||||
```
|
||||
|
||||
```text
|
||||
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > MAPS > Send file samples when further analysis is required to Never Send.
|
||||
```
|
||||
|
@ -25,12 +25,11 @@ The core of Win32 is the Win32 API implemented in the Windows SubDLLs (DLLs) and
|
||||
| UWAs | Windows |
|
||||
| :--------- | :---------------------------------- |
|
||||
|UWAs run as restricted, containerized `AppContainer` processes that run by accessing the WinRT API, a subset of COM functionalities and the Win32 API. They have specific properties that define process restrictions in terms of the system resources that processes can access.| Win32 applications run as Windows native, traditional processes that run by accessing the Win32 API and COM functionalities to their full extent and a subset of the WinRT API to directly access all system resources. They do not run as restricted processes, all system functionalities are by design directly available to them.|
|
||||
|Only a single instance of a given UWA may run at a given time. | Any number of instances of a given Win32 application may run simultaneously.
|
||||
|UWAs are distributed as application packages, archive files with a pre-defined format and required content that is necessary for the deployment and operation of UWAs |The way in which Win32 applications are distributed is not restricted by the operating system. It is defined by the application vendors.
|
||||
|Only a single instance of a given UWA may run at a given time. | Any number of instances of a given Win32 application may run simultaneously. |
|
||||
|UWAs are distributed as application packages, archive files with a pre-defined format and required content that is necessary for the deployment and operation of UWAs |The way in which Win32 applications are distributed is not restricted by the operating system. It is defined by the application vendors. |
|
||||
|
||||
The above comparison gives a clear cut that UWA/UWP apps are the best ones to use in terms of sandboxing the app.
|
||||
|
||||
|
||||
### Choosing the way to install software
|
||||
|
||||
UWA apps are primarily distributed through Microsoft store and are counter-signed by Microsoft while as third party UWA's are signed by the vendor without Microsoft's signature.
|
||||
@ -51,23 +50,29 @@ When you see an app in store and scroll down to *Additional Information* sectio
|
||||
|
||||
![UWP in store](/assets/img/windows/UWP-in-MS-Store.webp)
|
||||
|
||||
If the Win32 App, Microsoft store will explicitly state that it is`Provided and Updated by `****` ` and `Uses all System resources` as in the image below:
|
||||
If the Win32 App, Microsoft store will explicitly state that it is Provided and Updated by `****` and `Uses all System resources` as in the image below:
|
||||
|
||||
![Win32 in store](/assets/img/windows/Win32-in-MS-Store.webp)
|
||||
|
||||
!!! note "Un-sandboxed UWP apps"
|
||||
Some UWP apps in the store due to the lift of restrictions in Microsoft store developers can submit the app with a property named `runFullTrust` which disables sandboxing of that UWP application and shows that `Uses all System Resources` in *Additional Information* section such as Firefox. By this you can know if a UWP app is sandboxed or not.
|
||||
<div class="admonition note" markdown>
|
||||
<p class="admonition-title">Un-sandboxed UWP apps</p>
|
||||
|
||||
If it is sandboxed, it will show only certain permissions in *Additional Information* section.
|
||||
Some UWP apps in the store due to the lift of restrictions in Microsoft store developers can submit the app with a property named `runFullTrust` which disables sandboxing of that UWP application and shows that `Uses all System Resources` in *Additional Information* section such as Firefox. By this you can know if a UWP app is sandboxed or not.
|
||||
|
||||
!!! abstract "Note"
|
||||
Most apps will ask that if the app needs to be used for all users or just for your user account. It is best you keep the app to your user Account. So, We achieve better sandboxing between different user accounts.
|
||||
If it is sandboxed, it will show only certain permissions in *Additional Information* section.
|
||||
</div>
|
||||
|
||||
##### Another way to find
|
||||
<div class="admonition abstract" markdown>
|
||||
<p class="admonition-title">Note</p>
|
||||
|
||||
Most apps will ask that if the app needs to be used for all users or just for your user account. It is best you keep the app to your user Account. So, We achieve better sandboxing between different user accounts.
|
||||
|
||||
</div>
|
||||
|
||||
#### Another way to find
|
||||
|
||||
[rg-adguard.net](https://store.rg-adguard.net/) is a third party Microsoft store app which can be used to download `.appx` files (Installer for UWP) and install UWP apps. You can use this site to download Age Restricted apps in store and Install it. **Note** that paid apps don't work unless you connect a Microsoft Account.
|
||||
|
||||
|
||||
## Using Winget to Install Sofware
|
||||
|
||||
Windows Package Manager winget command-line tool is bundled with Windows 11 and modern versions of Windows 10 by default as the App Installer.
|
||||
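Review bot: the fixed line "Microsoft store will explicitly state that it is Provided and Updated by `****`" uses asterisks as a placeholder for the publisher, which reads like a redaction; suggest an explicit placeholder such as `<publisher name>`. The heading level fix (`#####` to `####`) is right for a child of `### Choosing the way to install software`. The note body carried into the `<div>` is a run-on ("Some UWP apps in the store due to the lift of restrictions in Microsoft store developers can submit..."); suggest "Since Microsoft relaxed Store restrictions, developers can submit UWP apps with the `runFullTrust` capability, which disables sandboxing and shows as `Uses all System Resources` under *Additional Information* (Firefox is one example)." The context heading `## Using Winget to Install Sofware` also misspells "Software", and that slug is what hardening.md links to.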
@ -88,7 +93,7 @@ If you understood about Winget, then this tool - [https://winstall.app/](https:/
|
||||
|
||||
Note : Be sure to install via Winget or using MSI installer to upgrade the app easily.
|
||||
|
||||
#### Benefits of winget
|
||||
### Benefits of winget
|
||||
|
||||
There are general advantages in having a package manager regardless of the operating system.
|
||||
|
||||
@ -105,7 +110,6 @@ The sandbox is temporary like TailsOS running on a USB drive. When it's closed,
|
||||
|
||||
You can know more from the Official [Documentation](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview).
|
||||
|
||||
|
||||
**Use case of Sandbox:** The Windows Sandbox can be used to run unknown software or if you want to isolate your Workspace from the host with only Specific set of apps, etc.
|
||||
|
||||
### Using Sandbox
|
||||
@ -116,10 +120,14 @@ So, when opening the file, sandbox opens with the Configurations you had set up
|
||||
|
||||
If you do not understand the documentation, you can use [Windows Sandbox Editor](https://github.com/damienvanrobaeys/Windows_Sandbox_Editor) instead. It is a GUI application that can be used to create configuration files easily.
|
||||
|
||||
??? note "Regarding Windows Sandbox Editor"
|
||||
The repository doesn't provide a package. So, you need to download the whole codebase. After, extracting the zip Windows Defender or other Antivirus software may flag the [exe](https://github.com/damienvanrobaeys/Windows_Sandbox_Editor/tree/master/EXE) file as a malware. So, it is recommended to install it via the [Powershell Script](https://github.com/damienvanrobaeys/Windows_Sandbox_Editor/tree/master/Install%20on%20desktop%20(in%20case%20of%20issue%20with%20EXE)) they provide.
|
||||
<div class="admonition note" markdown>
|
||||
<p class="admonition-title">Regarding Windows Sandbox Editor</p>
|
||||
|
||||
By default, You cannot execute Scripts in Powershell and it is restricted to commands only. It is recommend you allow the Terminal to `Unrestricted` mode and use it to install the editor via Script after that change it back to `Restricted` [execution policy](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.2) to prevent accidental execution of malicious scripts in the future.
|
||||
The repository doesn't provide a package. So, you need to download the whole codebase. After, extracting the zip Windows Defender or other Antivirus software may flag the [exe](https://github.com/damienvanrobaeys/Windows_Sandbox_Editor/tree/master/EXE) file as a malware. So, it is recommended to install it via the [Powershell Script](https://github.com/damienvanrobaeys/Windows_Sandbox_Editor/tree/master/Install%20on%20desktop%20(in%20case%20of%20issue%20with%20EXE)) they provide.
|
||||
|
||||
By default, You cannot execute Scripts in Powershell and it is restricted to commands only. It is recommend you allow the Terminal to `Unrestricted` mode and use it to install the editor via Script after that change it back to `Restricted` [execution policy](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.2) to prevent accidental execution of malicious scripts in the future.
|
||||
|
||||
</div>
|
||||
|
||||
### Run programs instantly in Sandbox
|
||||
|
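Review bot: the old `??? note "Regarding Windows Sandbox Editor"` was collapsible; `<div class="admonition note" markdown>` renders expanded, so use `<details class="note" markdown>` with a `<summary>` if the collapse should stay. On the execution-policy advice moved into the block: flipping the machine-wide policy to `Unrestricted` and back widens the window for any script to run; running the installer once with `powershell -ExecutionPolicy Bypass -File <script.ps1>`, or `Set-ExecutionPolicy -Scope Process RemoteSigned` in that session only, avoids changing the persistent policy at all. "Powershell" should also be "PowerShell".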
@ -13,8 +13,12 @@ Over the years, Microsoft has demonstrated a lot of privacy-invasive behaviour w
|
||||
|
||||
Windows 10 was [criticized](https://www.theguardian.com/technology/2015/jul/31/windows-10-microsoft-faces-criticism-over-privacy-default-settings) for having default settings that sent a lot of data and telemetry back to Microsoft, including:
|
||||
|
||||
!!! quote "[Criticism of Microsoft - Wikipedia](https://en.wikipedia.org/wiki/Criticism_of_Microsoft#Telemetry_and_data_collection)"
|
||||
User's contacts and calendar events, location data and history, "telemetry" (diagnostics data) ... and "advertising ID", as well as further data when the Cortana assistant is enabled.
|
||||
<div class="admonition quote" markdown>
|
||||
<p class="admonition-title">[Criticism of Microsoft - Wikipedia](https://en.wikipedia.org/wiki/Criticism_of_Microsoft#Telemetry_and_data_collection)</p>
|
||||
|
||||
User's contacts and calendar events, location data and history, "telemetry" (diagnostics data) ... and "advertising ID", as well as further data when the Cortana assistant is enabled.
|
||||
|
||||
</div>
|
||||
|
||||
At launch, telemetry could not be disabled in non-enterprise editions of Windows 10. Only after [criticism](https://www.theverge.com/2016/7/21/12246266/france-microsoft-privacy-windows-10-cnil) from the France data protection commission, the [Electronic Frontier Foundation](https://www.eff.org/deeplinks/2016/08/windows-10-microsoft-blatantly-disregards-user-choice-and-privacy-deep-dive) and the [European Union](https://www.reuters.com/article/us-microsoft-dataprotection-eu-idUSKBN15Z1UI), Microsoft changed the way they collect telemetry, allowing users to choose between "Basic" (now renamed as `Required`) and "Full", with "Basic" mode collecting [much less telemetry](https://www.extremetech.com/computing/243079-upcoming-windows-update-reduces-spying-microsoft-still-mum-data-collects). Along with that, Microsoft collects a [lot more data from Windows 10](https://web.archive.org/web/20210711143017/https://privacytools.io/operating-systems/#win10).
|
||||
|
||||
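Review bot: the title now sits inside raw HTML, `<p class="admonition-title">[Criticism of Microsoft - Wikipedia](...)</p>`; verify that the Markdown link inside that `<p>` still renders as a link rather than literal brackets, since only the parent `<div>` carries the `markdown` attribute. If it does not, keep a plain-text title and put the Wikipedia link in the quote body.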
@ -32,13 +36,13 @@ While using Windows, it is better to select either Windows **Enterprise** Editio
|
||||
|
||||
If you cannot get the above editions, you should opt for **Professional** Edition.
|
||||
|
||||
#### Editions to avoid
|
||||
### Editions to avoid
|
||||
|
||||
- It is not recommended to use forks or modified versions of Windows such as Windows AME. It should be avoided at all cost. Since modified versions of Windows, such as AME, don't get updates, antivirus programs like Defender can fall out of date or be disabled entirely, opening you up to attacks.
|
||||
|
||||
- Windows **Home** edition is **not** recommended as it does not have many advantages that Professional edition provides such as BitLocker Drive Encryption, Hyper-V, Windows Sandbox, etc. It also uploads Bitlocker Encryption keys to Microsoft servers which actually defies the aspect of the encryption implemented as the key was supposed to be hold by the user.
|
||||
|
||||
##### Recommendations
|
||||
#### Recommendations
|
||||
|
||||
We recommend you choose Windows 11 over Windows 10 as it is the latest version and brings many security-related improvements with it by default such as [Secure Boot](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-secure-boot), [VBS](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-vbs), [HVCI](https://docs.microsoft.com/en-us/windows-hardware/drivers/bringup/device-guard-and-credential-guard), etc. Windows 10 will stop getting updates after [October 14, 2025](https://docs.microsoft.com/en-us/lifecycle/products/windows-10-home-and-pro).
|
||||
|
||||
@ -53,16 +57,22 @@ To download the ISO. Follow these steps :
|
||||
- Download Media Creation tool under `Windows 11 Installation Media`
|
||||
- Open a Command prompt terminal in the directory where `mediacreationtool.exe` is downloaded.
|
||||
- And Input the following Command :
|
||||
```
|
||||
|
||||
```text
|
||||
mediacreationtool.exe /Eula Accept /Retail /MediaArch x64 /MediaLangCode en-US /MediaEdition Enterprise
|
||||
```
|
||||
|
||||
- If it asks for Activation key, Use this Generic Key `XGVPP-NMH47-7TTHJ-W3FW7-8HV2C`. This will just allow you to download the ISO but activation is totally upon the user.
|
||||
- Accept the UAC prompt
|
||||
- Download the ISO file or flash to a USB as you wish
|
||||
|
||||
!!! info "Note"
|
||||
- The ISO will consists **only** of Professional, Education & Enterprise editions with a size of ~4.2 GB (Instead of >5.5GB when you download the Multi-Edition ISO). When you download using the above way, no other editions such as Home are included in it.
|
||||
- If you want to change the language of the ISO file, Just change the `en-US` part with the appropriate language and country code as per your needs.
|
||||
<div class="admonition note" markdown>
|
||||
<p class="admonition-title">Note</p>
|
||||
|
||||
- The ISO will consists **only** of Professional, Education & Enterprise editions with a size of ~4.2 GB (Instead of >5.5GB when you download the Multi-Edition ISO). When you download using the above way, no other editions such as Home are included in it.
|
||||
- If you want to change the language of the ISO file, Just change the `en-US` part with the appropriate language and country code as per your needs.
|
||||
|
||||
</div>
|
||||
|
||||
### Activating Windows
|
||||
|
||||
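Review bot: the admonition type changes here, from `!!! info "Note"` to `<div class="admonition note" markdown>`; if the `note` class was not meant to replace `info`, keep `admonition info` with the "Note" title. Two typos survive in the moved bullet: "The ISO will consists **only** of" should be "will consist", and ">5.5GB" should be ">5.5 GB" to match "~4.2 GB" on the same line.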
@ -72,13 +82,21 @@ For activating Professional edition, you can buy the license key from resellers
|
||||
|
||||
If you are currently using Pro and want to upgrade to Enterprise. Then, Follow the guide [here](https://www.kapilarya.com/how-to-upgrade-windows-11-pro-to-enterprise-edition)
|
||||
|
||||
!!! abstract "Note"
|
||||
This guide will be mostly on Windows 11 but some of the recommendations can be applied to Windows 10 too.
|
||||
<div class="admonition abstract" markdown>
|
||||
<p class="admonition-title">Note</p>
|
||||
|
||||
!!! danger "Warning"
|
||||
If you are going to install Windows 11, then install it only on supported devices. It is not recommended to use tools/scripts that are available online to bypass the requirements which would break the security of Windows 11 which it is aimed for.
|
||||
This guide will be mostly on Windows 11 but some of the recommendations can be applied to Windows 10 too.
|
||||
|
||||
**Never** download *Pirated* ISO Files
|
||||
</div>
|
||||
|
||||
<div class="admonition danger" markdown>
|
||||
<p class="admonition-title">Warning</p>
|
||||
|
||||
If you are going to install Windows 11, then install it only on supported devices. It is not recommended to use tools/scripts that are available online to bypass the requirements which would break the security of Windows 11 which it is aimed for.
|
||||
|
||||
**Never** download *Pirated* ISO Files
|
||||
|
||||
</div>
|
||||
|
||||
*[GP]: Group Policy
|
||||
*[VBS]: Virtualization-Based Security
|
@ -435,10 +435,6 @@ nav:
|
||||
- "android/obtaining-apps.md"
|
||||
- "desktop.md"
|
||||
- "router.md"
|
||||
- !ENV [WINDOWS, "Windows"]:
|
||||
- "windows/privacy.md"
|
||||
- "windows/hardening.md"
|
||||
- "windows/sandboxing.md"
|
||||
- !ENV [NAV_ADVANCED, "Advanced"]:
|
||||
- "alternative-networks.md"
|
||||
- "device-integrity.md"
|
||||
|
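Review bot: removing the `!ENV [WINDOWS, "Windows"]` entry drops `windows/privacy.md`, `windows/hardening.md` and `windows/sandboxing.md` from the nav while the other hunks in this commit add links to those pages; MkDocs will warn that they are not in `nav`, and they become reachable only through `windows/index.md`. Confirm this is the intended "hidden until ready" state rather than an accidental loss of the section.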